Whistleblowing | Workplace Compliance

UK Economic Crime and Corporate Transparency Act 2023 (ECCTA)

A significant UK regulation that introduces a corporate criminal offense for failure to prevent fraud, holding large organizations liable if they lack reasonable procedures to prevent associated persons from committing fraud for their benefit.

Region: UK/
Sector: Public & Private/
Effective date: 10/26/2023/
Last regulatory update: 09/01/2025/
Mandatory:Yes/
Schedule a Consultation

Table of contents

    What Is the Economic Crime and Corporate Transparency Act?

    The Economic Crime and Corporate Transparency Act 2023 is a wide-ranging piece of UK legislation that addresses corporate criminal liability, company registration reform, and the investigation and prosecution of economic crime. Notably, from 1 September 2025, failure to prevent fraud became a punishable offense under section 199 of the Act.

    Organizations bound by section 199 include large organizations, defined as incorporated bodies or partnerships that meet at least two of the following criteria in the financial year preceding the year in which the underlying fraud is committed:

    1. More than 250 employees
    2. More than £36 million in annual turnover
    3. More than £18 million in total assets

    These thresholds apply to the whole organization, including subsidiaries. Individual subsidiaries that meet the criteria are also included within the scope. The offense applies to UK and overseas companies, and partnerships that carry on business in the UK, with extraterritorial reach where any part of the underlying fraud occurred in the UK, or where the gain or loss occurred there.

    The Act protects workers and individuals who might become victims of fraud committed by or through large organizations. Additionally, ECCTA strengthened the UK’s approach to tackling economic crime by expanding the Serious Fraud Office’s (SFO) pre-investigation powers and reforming corporate criminal attribution.

    Key ECCTA Provisions

    Failure to Prevent Fraud (Section 199)

    Large organizations are strictly liable if an associated person commits a specified fraud offense for the organization's benefit, and the organization did not have reasonable prevention procedures in place.

    Senior Manager Attribution (Section 196)

    Corporate criminal liability can now be established when a senior manager (not just a "directing mind") commits or authorizes an economic crime.

    Expanded SFO Powers (Section 211)

    The SFO can compel documents and testimony before formally opening an investigation, in cases of serious or complex fraud, not only international bribery cases.

    Identity Verification at Companies House

    New requirements for directors and persons with significant control to verify their identity are being phased in between 2024 and 2026.

    Who Is Responsible for the ECCTA?

    The Serious Fraud Office (SFO) is the primary enforcement authority for the section 199 offense and has signaled its intent to actively enforce the offense since section 199 came into effect. The Crown Prosecution Service (CPS) can also prosecute offenders within its jurisdiction.

    The SFO and CPS published the updated Joint Corporate Prosecutions Guidance on 18 August 2025, setting out their shared approach to charging decisions under the ECCTA.

    Companies House is responsible for enforcing the identity verification and registration provisions of the Act, while the Financial Conduct Authority (FCA) may have parallel jurisdiction where ECCTA conduct overlaps with its regulated activities.

    What Are the Possible Penalties Under the ECCTA?

    An organization convicted of the failure to prevent a fraud offense under section 199 is liable to an unlimited fine with no statutory ceiling. Courts will consider the scale and nature of the underlying fraud, the degree of harm caused, and any mitigating steps taken, including self-reporting and cooperation with investigators.

    The SFO’s preference for Deferred Prosecution Agreements (DPAs) in appropriate cases means organizations that proactively cooperate have a pathway to resolution without a contested prosecution. Nevertheless, DPA terms typically include substantial financial penalties, compliance monitoring, and mandatory improvements to internal procedures.

    Additionally, individual senior managers whose consent or connivance contributed to the underlying fraud may separately face personal criminal liability under existing 'consent and connivance' provisions (e.g., section 12 of the Fraud Act 2006), independent of the organization's own liability under section 199.

    What Does the ECCTA Require?

    Under ECCTA, the only defense to the section 199 offense is that the organization had reasonable prevention procedures in place at the time the fraud occurred. If it were not reasonable to have such procedures, for example, in the case of a newly incorporated entity, this may also be considered.

    The Home Office set out six core principles for reasonable fraud prevention frameworks:

    Core ECCTA Fraud Prevention Requirements

    Top-Level Commitment

    Senior leadership must visibly endorse the fraud prevention program and promote a culture of integrity.

    Risk Assessment

    The organization must conduct a documented assessment of its exposure to fraud across functions, third parties, and geographies.

    Proportionate Risk-Based Procedures

    The organization must implement controls tailored to its identified risk profile, rather than relying on a generic checklist.

    Due Diligence

    The organization must carry out risk-based screening of associated persons, including employees, agents, and subsidiaries.

    Communication & Training

    Anti-fraud policies must be communicated to relevant staff and third parties, with targeted training provided where appropriate.

    Monitoring & Review

    The organization must continuously monitor the performance of its fraud prevention framework and conduct periodic reviews.

    These principles closely mirror those set out in the Bribery Act 2010 for the adequate procedures defense. Organizations that already have an anti-bribery compliance program should assess whether it also covers fraud prevention, and, if not, update it accordingly.

    For an offense to fall under section 199, it must be committed by an associated person, such as an employee, agent, employee of a subsidiary, or another third party providing services for or on behalf of the organization. Additionally, the fraud must be intended to benefit the organization directly or indirectly. Fraud committed solely for personal gain does not qualify.

    It is vital that organizations document their fraud risk assessment and maintain records demonstrating the existence and operation of preventative measures. The SFO has indicated that companies unable to produce evidence of a functioning fraud-prevention framework at the time of any alleged offense may face significant difficulty in establishing a defense.

    Why Is the ECCTA Important?

    ECCTA fundamentally changed corporate criminal exposure in the UK. For decades, prosecuting large organizations for fraud required proving that a “directing mind” of the company had committed or authorized the offense, a threshold that was often difficult to meet in complex, multi-layered organizations.

    Section 199 removed that barrier by introducing strict liability when an associated person commits fraud for the organization’s benefit, without requiring prosecutors to identify which individuals within senior leadership were aware of the misconduct.

    The SFO Director made the organization’s enforcement intentions clear even before the September 2025 amendment took effect, stating publicly that the SFO intended to bring the first prosecution against organizations that failed to prepare. 

    For compliance officers, this signaled a significant shift in corporate accountability and reinforced the need to review and strengthen fraud prevention procedures. 

    How FaceUp Helps Comply with the ECCTA

    ECCTA’s Section 199 underscores the importance of accessible, confidential reporting channels that enable employees and associated persons to safely and without fear of retaliation raise concerns about suspected fraud.

    FaceUp provides organizations subject to ECCTA and the UK Public Interest Disclosure Act whistleblowing regime with an easy-to-use solution, deployable in as little as two hours, enabling reporting via web forms, 24/7 hotlines, and iOS/Android apps in 113 languages.

    Centralized case management with automatic activity logging helps create a documented audit trail for every report, follow-up action, and resolution, demonstrating the existence of effective internal procedures that support ECCTA defense.

    Quick Facts

    Applies to

    Large UK and overseas organizations carrying on business in the UK that meet at least 2 of the following criteria: 250+ employees, 36M+ turnover, or 18M+ in assets.

    Penalties

    Unlimited fine for organizations convicted of failure to prevent fraud; 
    personal liability for senior managers in applicable cases

    The FaceUp Solution

    FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

    • Fully Anonymous Reporting

      Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.

      • Mobile-First Accessibility

      • No IP storage, no device IDs, encrypted submissions

      • Customizable forms, categories, routing rules, and more

      Explore Reporting
    • Customizable Case Management

      Create an easily verifiable audit trail through a customizable case management system with automatic routing.

      • Supports multiple locations, subsidiaries, or units

      • Entity-specific routing and access permissions

      • Optional notifications via email, Teams, or Slack

      Explore Case Management
    • FaceUp - Risk & Compliance Analytics

      Real-Time Data Analytics

      Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.

      • Filter by category, region, channel, and more

      • Share without revealing sensitive information

      • ISO 27001 and SOC 2-certified local servers

      Explore Analytics

    Explore How FaceUp Can Help Your Organization